Krebs on Security

Registered at SSA.GOV? Good for You, But Keep Your Guard Up

KrebsOnSecurity has long warned readers to plant your own flag at the my Social Security online portal of the U.S. Social Security Administration (SSA) — even if you are not yet drawing benefits from the agency — because identity thieves have been registering accounts in peoples’ names and siphoning retirement and/or disability funds. This is the story of a Midwest couple that took all the right precautions and still got hit by ID thieves who impersonated them to the SSA directly over the phone.

In mid-December 2017 this author heard from Ed Eckenstein, a longtime reader in Oklahoma whose wife Ruth had just received a snail mail letter from the SSA about successfully applying to withdraw benefits. The letter confirmed she’d requested a one-time transfer of more than $11,000 from her SSA account. The couple said they were perplexed because both previously had taken my advice and registered accounts with MySocialSecurity, even though Ruth had not yet chosen to start receiving SSA benefits.

The fraudulent one-time payment that scammers tried to siphon from Ruth Eckenstein’s Social Security account.

Sure enough, when Ruth logged into her MySocialSecurity account online, there was a pending $11,665 withdrawal destined to be deposited into a Green Dot prepaid debit card account (funds deposited onto a Green Dot card can be spent like cash at any store that accepts credit or debit cards). The $11,665 amount was available for a one-time transfer because it was intended to retroactively cover monthly retirement payments back to her 65th birthday.

The letter the Eckensteins received from the SSA indicated that the benefits had been requested over the phone, meaning the crook(s) had called the SSA pretending to be Ruth and supplied them with enough information about her to enroll her to begin receiving benefits. Ed said he and his wife immediately called the SSA to notify them of the fraudulent enrollment and pending withdrawal, and they were instructed to appear in person at an SSA office in Oklahoma City.

The SSA ultimately put a hold on the fraudulent $11,665 transfer, but Ed said it took more than four hours at the SSA office to sort it all out. Mr. Eckenstein said the agency also informed them that the thieves had signed his wife up for disability payments. In addition, her profile at the SSA had been changed to include a phone number in the 786 area code (Miami, Fla.).

“They didn’t change the physical address perhaps thinking that would trigger a letter to be sent to us,” Ed explained.

Thankfully, the SSA sent a letter anyway. Ed said many additional hours spent researching the matter with SSA personnel revealed that in order to open the claim on Ruth’s retirement benefits, the thieves had to supply the SSA with a short list of static identifiers about her, including her birthday, place of birth, mother’s maiden name, current address and phone number.

Unfortunately, most (if not all) of this data is available on a broad swath of the American populace for free online (think Zillow, Ancestry.com, Facebook, etc.) or else for sale in the cybercrime underground for about the cost of a latte at Starbucks.

The Eckensteins thought the matter had been resolved until Jan. 14, when Ruth received a 1099 form from the SSA indicating they’d reported to the IRS that she had in fact received an $11,665 payment.

“We’ve emailed our tax guy for guidance on how to deal with this on our taxes,” Mr. Eckenstein wrote in an email to KrebsOnSecurity. “My wife logged into SSA portal and there was a note indicating that corrected/updated 1099s would be available at the end of the month. She’s not sure whether that message was specific to her or whether everyone’s seeing that.”

NOT SMALL IF IT HAPPENS TO YOU

Identity thieves have been exploiting authentication weaknesses to divert retirement account funds almost since the SSA launched its portal eight years ago. But the crime really picked up in 2013, around the same time KrebsOnSecurity first began warning readers to register their own accounts at the MySSA portal. That uptick coincided with a move by the U.S. Treasury to start requiring that all beneficiaries receive payments through direct deposit (though the SSA says paper checks are still available to some beneficiaries under limited circumstances).

More than 34 million Americans now conduct business with the Social Security Administration (SSA) online. A story this week from Reuters says the SSA doesn’t track data on the prevalence of identity theft. Nevertheless, the agency assured the news outlet that its anti-fraud efforts have made the problem “very rare.”

But Reuters notes that a 2015 investigation by the SSA’s Office of Inspector General identified more than 30,000 suspicious MySSA registrations, and more than 58,000 allegations of fraud related to MySSA accounts from February 2013 to February 2016.

“Those figures are small in the context of overall MySSA activity – but it will not seem small if it happens to you,” writes Mark Miller for Reuters.

The Reuters story reminds readers to periodically use the MySSA portal to make sure that your personal information – such as date of birth and mailing address – is correct. “For current beneficiaries, if you notice that a monthly payment has not arrived, you should notify the SSA immediately via the agency’s toll-free line (1-800-772-1213) or at your local field office,” Miller advised. “In most cases, the SSA will make you whole if the theft is reported quickly.”

Another option is to use the SSA’s “Block Electronic Access” feature, which blocks any automatic telephone or online access to your Social Security record – including by you (although it’s unclear if blocking access this way would have stopped ID thieves who manage to speak with a live SSA representative). To restore electronic access, you’ll need to contact the Social Security Administration and provide proof of your identity.

This entry was posted on Friday, January 26th, 2018 at 2:43 pm and is filed under A Little Sunshine, The Coming Storm.

86 comments

It always amazes me that these scammers are able to convince the IRS, SSA, and many, many other government agencies to readily hand over cash, while we as users usually have to provide all sorts of information, a DNA sample, our last three years’ income down to the 4th decimal, etc., etc., just to get signed up!

Evidence? Who needs evidence when you have conspiracytheory.blog <– not a real website (at least not at the time I'm writing this).

The problem with making phone access more difficult to access is that legitimate people get caught up in the dragnet, which makes people angry (including insisting it's part of an inside job and similar nuttiness).

I knew a guy who couldn't for the life of him remember any of his banking passwords and codes or anything. He spent hours each month yelling at his bank to gain access. Of course eventually he got caught by identity fraud. It was, of course, not his fault and was part of an inside job at the bank because they had it in for him.

The open question at work was whether he had these episodes in public places, since someone could easily retaliate for his boorish behavior. He divulged gobs of personal data to everyone within earshot, and since he typically was screaming at the phone, earshot was quite some distance away.

Who needs scammers when we have the government. The Child Support agencies in multiple states, like Illinois, have been double dipping and scamming the system for decades, blatantly violating regulations and laws. To complicate it, they even rewrote the regulations so that when someone brings up how blatant a violation of the constitution itself the program operates, the lawyers are very quickly disbarred and removed from office.
Well, after all, what would one expect from a place that hired people like Obama and Hillary, people who managed to get disbarred due to violations and questionable ethics, just to run for the top position in the country.

That’s because when we do it, it is usually our first time doing something, or it is something we don’t do often. So it is awkward for us to go through and do. These people generally aren’t individuals, and even if they are, this is what they do “for a living”, meaning they know the process and exactly what to expect. Their detailed knowledge gives a sense of their trustworthiness, when in this circumstance, if they thought about it, it should trigger the opposite. After doing this every day, countless times a day, you learn the perfect things to say to push things forward as smoothly as possible.

Not to mention there are doctor’s visits involved and it sometimes takes years; in my case it took 7. It just kills me that people who need their disability jump through hoops to get it but people who are stealing people’s information can just call or go online and get a check?!?!?! Absolutely ridiculous. Somebody isn’t doing their job!

Virtually the same thing happened to me. I had registered with MySSA 18 months ago when I was about to turn 65 so that I could restrict my Medicare to part A only. At the end of October I received a letter saying that my application for disability payments had been approved. I looked on-line and saw 2 things of interest:
1. I had not logged on since the preceding August, more than a year earlier.
2. There was an application for disability with a bank account that was not mine – and a phone number that was 1 digit away from my home number.
I went into the office with my passport and stopped the disability payment – although I just found out that they had already made one payment.
I locked my account – no phone or on-line access and left written notice that I did not intend to retire until I was 70 and I would appear in person. And they took photocopies / scans of my passport.
I was at SSA twice last week. First to validate that the attacker had not done anything else. Second to deal with the improper payment and update the documentation and get a letter I could use with the IRS, which views the fraudulent payment as income to me.
The attack is sophisticated. It is not going through the MySSA interface, or if it is, it is avoiding the session logging. I have a screenshot showing that I had not logged on since I had established the account – but the account had been modified. And getting a phone number only one away – we actually checked and called from the SSA office – ‘I was not present.’
I told the claims examiner in November when I went in that they were going to have a big fraud issue. I was right.
While I was waiting at the booth, the man next to me had a similar problem and he had talked to another man in the line waiting to go in with a similar issue.

John, per my comment below, this has also happened to my husband. May I ask, what type of letter did SSA give you to use with the IRS? Is it something standardized and/or did they seem to be confident that it would be “good enough” for that purpose? I ask because of course my husband has received a SSA-1099 showing the fraud as income to him. I was led to believe that our only recourse was to wait for a corrected SSA-1099…. which will probably take forever! I’d like to file our income taxes ASAP since it seems likely that a fraudulent tax return might be the thieves’ next step.

I’ve found that I can’t create a MySSA account because I have a freeze on my record at all four credit bureaus. So I’m hoping that if I can’t create the MySSA account in the first place, then the thieves can’t either, and can’t ask for it to be changed.

This article and these comments implicate a phone based system which appears to be fairly disconnected from the MySSA system.

I doubt that your credit freeze would protect you from this attack.

It sounds like the best tactic is an in person visit and a signed letter of intent (talk with the SSA in person to figure out how this would work).

At the end of the day, most attacks are Social Engineering as opposed to traditional electronic hacking. And this is no different. The SSA agent who handles the phone interface is clearly more powerful than the website which can be stifled by the credit freeze.

On the bright side, it sounds like you’re closer to retirement, so there will be less time for this cat-and-mouse game to evolve than for some of us. And resigning ourselves to having our accounts pillaged isn’t sufficient, because as reported, we’re still liable for the misdirected income as far as the IRS is concerned.

What I don’t like is if we protect ourselves by putting a security freeze on all our credit reports, you can’t sign up for a MySSA online account in the first place. You protect yourself in one area and get punished for it in another area. Urgh!

I think that if I lifted the freeze at all bureaus for 48 hours I could then create the MySSA account. I’ve tried this at a single bureau and it will reinstate automatically on my schedule without charging the fee twice. I still must pay $5 each time for each bureau in my state, but that makes the total outlay $20, not $40.

To see what the process would be like I used the Block Electronic Access link. It tells you that you can gain access again by calling or showing up. I tried to log in again, and that was blocked with a message.

“We have suspended electronic access to your personal information.

This suspension will not affect any Social Security benefits you receive. If you would like to allow electronic access to your information, please contact us.”

So I think that still allows for scamming via phone. It should be harder to do in person.

Unfortunately, security is reactive and scoped. This is a case of the left hand (phone management) not knowing or understanding what the right hand (electronic management) was doing or why. It’s trivial to overlook a threat as “that’s not my bailiwick”.

Going to an SSA office is a joke. Appointments are usually months away. If you just show up, you wait hours to talk to someone who does not know anything. Wife and I went to sign her up for Medicare A based on my earnings, and the clerk said neither she nor I were eligible, even though I had signed up months earlier. The supervisor said we had to make an appointment and return later. (What good would that do? We would probably have the same clerk again.) Another clerk intervened and helped us. The first clerk was only looking only at social security earnings, not Medicare earnings. I was in a position which was not covered by social security, but I still paid into Medicare, and I had more than sufficient Medicare earnings. On the bright side, no one will be able to withdraw from the social security account since there were no social security earnings.

We live overseas. Showing up to an SSA office is a nonstarter for us. Putting a credit freeze on our credit bureau accounts was quite difficult from here. My husband did that during a visit to the US. We do have MySSA accounts. I’d like to block online access but it’s the only way we have to communicate with SSA besides letter and Skype.

*There are no offices in Canada, instead, they offer a list of addresses within the USA that are “close” to a given province. Mexico has three offices.
** Most of these are in embassies. One notable exception is a consulate, the consulate is larger than the embassy, and the naming is an international charade (which has recently become international news…).
*** Some countries don’t have a US embassy “in country”, in which case it appears that whichever embassy (or consulate**) is responsible will also cover this.

The issue is that unless they mandate you show up in person with an ID or mail it in, this won’t go away. Currently you can simply change all data when talking to a live person by providing the static info, so registering first provides little barrier. Adding usernames and one-time PINs (sent to the crook, as his/her number is on your file) doesn’t solve a thing, as long as all this can be changed by again providing the static info.

So as long as a physical visit or a mandatory ID mail-in is not needed, this will not be solved.

My husband “Harold” is a recent victim of a fraudulent social security claim, much like Ruth in this story. Harold is 67 and is eligible for SS but is not yet receiving SS benefits nor Medicare — he is still gainfully employed and has no need for Medicare (private medical insurance with a HSA). He received a snail mail letter about “his” recent call to begin benefits and to sign up for Medicare. Upon receipt of the letter, Harold logged into his MySS account (which he set up in 2015) and saw payment details and direct deposit info for a Go Bank issued Green Dot card. The sad thing here is that the thief requested the benefits on a Thursday and payment was made less than a week later on the following Wednesday. We received the letter in the mail on that same Wednesday (the day before Thanksgiving), after the thief had already received the +$19k payment!

We’ve had several phone calls to SSA and one visit to our local SSA office since then and there are a few things I can add to this discussion:

(1) Even though our letter said that a call was made to apply for benefits, we were told by SSA representatives that the thief applied for benefits online. We asked how that could be since the husband’s SS.gov account was not compromised. As it turns out, the SSA, in their infinite wisdom, allows one to apply online without cross-checking to see if one already has a SSA.gov account. An online application bypasses a pre-existing SSA.gov account. So, all the thief had to do was go to https://www.ssa.gov/forms/apply-for-benefits.html and choose to apply for Retirement benefits. With a few static identifiers obtained in the Equifax breach (we assume), the thief easily got his/her $19k payday. Interestingly, the Green Dot information the thief provided for payment was then used to update Harold’s SS.gov direct deposit information, which of course previously was blank since Harold has yet to file for benefits. This is so terribly backward that only the government could have come up with this methodology. Also, the thief claimed zero income for the last two years when completing the SS application and then the letter that was produced from the application has the earnings history printed on it, clearly showing Harold’s income for the last two years! Again, absolutely no cross checking is done to confirm information.

(2) Go to a SSA office rather than trying to clear up this mess on the phone with SSA. Our story: on the next business day upon receipt of the snail mail letter, we called the SSA 800 number. After a 45 minute hold time, we went through the entire story with the courteous representative. We could hear her typing up her report. I asked if we should go to our local SSA office and was told it wasn’t necessary. We were leaving on vacation the next day so I was glad to hear we did not need to waste half of our day at the SS office. A month went by and we kept receiving letters from SSA about upcoming payments and Medicare premiums. Nothing indicated that SSA knew it was a fraud. This was obviously a cause for concern. We went to our local SSA office early one morning and the wait was going to be several hours. We gave up on that and Harold called the SSA 800 number and after a 60 minute wait, the representative indicated that nothing had been done to reverse the application and that more monthly benefits were going to be paid in the next week!!!
Thankfully we ourselves had called Go Bank (parent of Green Dot) as soon as this happened to report the fraud and have them close the account.
The representative on this second call split her time between blaming the representative from our first call and also blaming us. Never did she recommend that we go to our local SSA office. Harold took the initiative and made an appointment at our local SSA office, as we wanted to make some progress on getting this resolved.
Our appointment was last week — eight weeks after we received the letter. The rep at the local office was astonished and disgusted to learn that we were never told by the SSA 800 reps that we should go to a local office. He said, “This will never be resolved by calling SSA 800 folks.”

(3) We were told not to remove the fraudulent direct deposit information on Harold’s ss.gov account. This was supposedly so that the Office of the Inspector General could use the information in their investigation.

(4) Therefore, you should immediately contact the thief’s bank (and I use the term “bank” loosely here, as Go Bank does not even use the Chex System to verify information before setting up an account) to let them know the account is fraudulent. This way, if SSA doesn’t get the payments STOPPED, then at least the thief shouldn’t get any more money deposited in the fraudulent account.

(5) After you go to the local SSA office, obtain the phone number for that office and the direct extension for a person there, preferably the representative you dealt with. This can help you avoid the long hold times on the phone. Because, trust me on this, you will continue to need to contact SSA.

Currently, we are trying to work through what to do about the incorrect SSA-1099 in filing our income taxes. Upon recommendation of our first SS phone representative, we blocked Harold’s SS.gov account so I hope if a corrected 1099 is actually issued that we will receive it in the mail and not have to rely on his now blocked SS.gov account to obtain it.

As a 28 year employee of SSA I can only advise people to go to their local office if their concern is a complex issue. The 800# is fine for completing change of address, direct deposit, or setting up an appointment. The people who work in the call centers are not trained to deal with any issue that involves in depth work or knowledge. The only thing they can do is write up a referral to the local servicing office, and unfortunately, some offices read those requests more timely than others. There is no way anyone should have to wait longer than a couple of days for an appointment that deals with this kind of problem. If the person on the other end of the line will not set you up quickly, ask to speak to a supervisor or some other management person. If you keep getting the run around, call your congressman’s office, explain to them what is going on and believe me, the Social Security office will be on your problem like someone lit a fire under them. Once the office hears from a reps office, your problem becomes a “congressional” and no management person wants that hanging around and becoming a PR problem. I am sorry you are having such difficult dealings with SSA. It should not be that way, but in 28 years, I have seen service to the public take a very bad dive.

Yeah, like me! Going on 3 years now! I’ve worked my butt off at very good paying jobs since I was 17! I’ve paid in a lot of money in my years of working and I really need it now. I don’t need the insurance, but I really need the income.

I procrastinated on putting in a credit freeze because I was also procrastinating on setting up online SSA account that needs credit bureau confirmation. Then Equifax happened.

So, I went to SSA.gov to sign up for online account. Guess what credit bureau SSA was using for confirmation? Yeah! Equifax! SSA.gov told me they couldn’t set up account. But they did give me an option to “Block Online Access.” So I did. Supposedly, this will block automatic telephone and online access – Super Duper. While your comment “it’s unclear if blocking access this way would have stopped ID thieves who manage to speak with a live SSA representative” is appropriate, chances are the risk of that is much lower. Cutting off points of access should help.

BTW love your site. Recommend it. Some day I’ll stop procrastinating about buying some of your books. Looks like good reading material while I’m sitting in line at the SSA office.

Police detective who specializes in identity theft here. An even bigger story is the SSA’s failure to address the issue by taking preventive steps to stop it or assist law enforcement in investigation. They will not respond to law enforcement requests to provide information, even with a court order. They claim to have “exclusive jurisdiction” and that their internal investigation unit – the Office of Inspector General for the SSA – conducts the investigations. The problem is they are like a ghost unit. They are rumored to exist but no one can get a hold of them. Local and state agencies are inundated with SSA fraud reports with no legitimate avenue to assist the victims.

As for the forms I filed with SSA:
“Report of Confidential Social Security Benefit Information”
“Statement of Claimant or Other Person”

In the statement form I noted that I did not intend to claim benefits until I turn 70. I earlier filled out the statement form requesting that my account be locked and require my physical presence with ID to unlock.

I would note that my credit accounts were locked when the fraud occurred.

I had applied for disability. It has taken over 3 and a half years to be approved. You would think they would hurry and send me some money. I am going to lose my house and everything I own if they don’t hurry. It is a shame that people that can’t work have to go through this.

I won my case in August of last year. Took 3 and a half years. Did not get my first back payment until December. Almost 5 flipping months. And you only get half of the back pay you are owed. They hold the rest to make sure you are not working and to see if they can find anything you might have lied about reporting all income while applying for disability. Also they take out lawyer fees. My fee was the maximum allowed. $6,000.00. Still waiting for the rest of back pay. I did receive my first monthly check already.

I don’t know who provided the information you cite in your comment, but the only people who have back pay withheld from disability payments are those receiving SSI or if there is a workman’s comp issue involved. No back pay is held to see if you are going to work or to see if you “lied” on your application. If this info was given to you by an SSA employee in a field office, I suggest you go back to that particular office and ask to speak to a management person. It is incorrect.

Due to this post, just logged back in to MySSA for the first time since June. SSA is indeed now offering additional 2FA via text/email. Additionally, they also are offering a 3rd verification (3FA?) as described below.

——————
You can opt for extra security to provide your account with an extra level of protection. If you would like to add extra security, you must answer a financial verification question. Adding extra security does not change the way that you sign in to your account. You must still sign in with your username, password, and a unique security code we will provide each time you sign in.
If the following statements are true for you, then extra security is an option for you:

I am comfortable answering an identity verification question online.

I am comfortable answering a financial verification question online.

How do I sign up for extra security?
When you first register, you must verify your identity by answering a security question. We will ask for one of the following:
the last 8 digits of your Visa, MasterCard or Discover Card, or
information from your W-2 tax form, or
information from a 1040 Schedule SE (self-employment) tax form.
Finishing this process usually takes 5 to 10 business days. An upgrade code will be mailed to your home address. When you sign in to your account, you will be asked to enter the upgrade code in order to finish adding your extra security. In the meantime, you can sign in to your account using your username, password, and a unique security code we will provide each time you sign in.
—————–

I am amazed at the way this played out, and I appreciate this info being shared as obviously this is a major hole in the policies that allowed this type of breakdown. I’m confident the Social Security Adm. has put safeguards in place to stop this reoccurring.

Please note that extra security on your MySSA account does not protect you from this type of fraud. My husband’s account had 2FA setup months ago and it was still in place. His MySSA account was not compromised. The thief just bypassed it, utilizing a huge SSA loophole. From my long post above: “As it turns out, the SSA, in their infinite wisdom, allows one to apply online without cross-checking to see if one already has a SSA.gov account. An online application bypasses a pre-existing SSA.gov account.”

SSA site lets me specify ANY PHONE NUMBER to get security code for login.

It’s been a while since I last logged in. I receive a message that “Security has improved since your last login” and am asked how I want to receive a security code. When I pick text message, the site allows me to provide a phone number, rather than using the one on file. Very secure.

Here’s the 411. In order to access your my Social Security page, you need either a cell phone or email to access a security code that will let you access your page. Note: this is a one time only code that lasts for only 10 minutes and each time you go to your page, you have to enter a different code. Without it, NO ONE CAN ACCESS YOUR ACCOUNT. Never give your information to ANYONE!!!!!

Yes, but his case is likely special, as he had NOT set up 2FA before. So the text message was NOT to verify his account, but to verify the phone number as part of ADDING the phone as 2nd factor. So that is to prevent him from making a typo in the number and locking himself out.

John M. Weber, please note that extra security on your MySSA account does not protect you from this type of fraud. My husband’s account had 2FA setup months ago and it was still in place. His MySS account was not compromised. The thief just bypassed it, utilizing a huge SSA loophole. From my long post above: “As it turns out, the SSA, in their infinite wisdom, allows one to apply online without cross-checking to see if one already has a SS.gov account. An online application bypasses a pre-existing SS.gov account.”

My husband did not give his information to ANYONE yet he is victim of this fraud. Note also that we’ve done all we can to prevent identity theft, including freezing all of our credit back when the Equifax breach happened. Since this fraudulent SS claim mess, we’ve also frozen our ChexSystems profile, which I suggest everyone do too. It prevents unauthorized bank account openings. Note that it did not help in the instance of my husband’s SS fraud since Go Bank/Green Dot does not do any sort of security check before opening an account. Really, the SSA should not allow payments to go to a “bank” with such lax security measures as Go Bank, but I suppose that’s a topic for another day.

ALL government agencies that offer walk-in services should offer an online access -disable- feature based upon SSN which can only be turned on or off by a walk-in appointment verified with photo-ID in their camera equipped (I assume) offices.

My husband learned he had been collecting Social Security for several months when Medicare denied paying for a flu shot. Turns out the letter at the end of his Medicare number changed when “he” started receiving benefits. They also changed to our previous address, so we received nothing by snail mail. We’ve lived at our current address since December, 1991. According to the SSA agent who helped us in person, their records indicated the claim was filed in person. SSA told us by phone to ignore the 1099.

Doesn’t take a scammer to get your personal information. Social security sent my information to the wrong person and denied doing it even though I received a message from the person they sent it to. The message even included a picture of the letter showing my information, including my social security number.

I can’t set one up because the “credit history” used for the questions is completely wrong. None of the questions reflect any event in my history. Interestingly, the questions are always the same, in the same order, every. single. time.

Not a few others have the identical problem. The SSA calls it a “rare problem, happening in only a very few cases”.

A persistent scammer will eventually get the acceptable answers before I could. The probability is high, given the questions.

Of course, I *could* travel to one of the SSA offices, difficult as it would be and just hurry up and wait.